How to block China and Russia IP address ranges from my VM?

Question

How to block China and Russia IP address ranges from my VM?

GNB 20

Without incurring any additional subscription costs for firewall services (beyond our existing core B2s subscription), how can we block all IP address ranges from China and Russia from accessing my Azure VM? We're not running an e-commerce site and only need to allow access to US IP address ranges.

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-04-05T17:30:58.0466667+00:00

@GNB

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I see Dillon Silzer has addressed your query. Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Cheers, Kapil

1 answer

Your answer

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-04-05T17:30:58.0466667+00:00

@GNB

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I see Dillon Silzer has addressed your query. Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Cheers, Kapil

Answer 1

Dillon Silzer 57,831 Volunteer Moderator

Hi GNB, This is not possible with the basic Azure VM (Networking NSG) function. This is a function that allows you to create inbound and outbound rules with limitations. Unfortunately, what you will need is:

Geomatch custom rules

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/geomatch-custom-rules

Create and use Web Application Firewall v2 custom rules on Application Gateway

https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-custom-waf-rules

Understanding Pricing for Azure Application Gateway and Web Application Firewall https://learn.microsoft.com/en-us/azure/application-gateway/understanding-pricing If this is helpful please accept answer.

GNB 20 Reputation points

2023-04-04T01:29:11.1766667+00:00

Thanks for that, Dillon. Very helpful indeed. I wonder why we couldn't do this by adding an NSG inbound security rule to deny a set of country-specific IP address ranges?
Dillon Silzer 57,831 Reputation points Volunteer Moderator

2023-04-04T01:40:51.1733333+00:00

Hi GNB,

You could try to create a deny rule for a specific port with all Chinese and Russian CIDR ranges. I have never added that many ip addresses into a rule, but you could try: https://www.nirsoft.net/countryip/cn.html https://www.nirsoft.net/countryip/ru.html
GNB 20 Reputation points

2023-04-04T12:32:31.5766667+00:00

OK, cool, I'll give it a try. You mentioned creating the deny rule for a 'specific port,' (e.g. 8080), but would it be better to create the deny rule for 'all' (*) ports? Just want to make sure I'm not missing something.

Share via

How to block China and Russia IP address ranges from my VM?

1 answer

Your answer